Stay Informed
This week, read about:
- Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk.
- MySQL 9.1.0 Innovation Release.
- OpenLogic Hadoop Service Bundle Launched to Help Manage Your Big Data Infrastructure.
- CentOS Stream 8 End of Builds Was May 31, 2024 and CentOS Linux 7 End of Life Was June 30, 2024. Get the Definitive Guide For CentOS EOL.
- OpenJDK Spring 2024 Release Downloads Are Now Available on OpenLogic.
- We Have the Latest Versions of OpenJDK Versions 8, 11, and 17 Now Available.
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CVE-2023-4911
  - CentOS 8
    - glibc-2.28-164_ol002.el8
- CVE-2018-25032
  - CentOS 8
    - zlib-1.2.11-17_ol002.el8
- CVE-2022-2526
  - CentOS 8
    - systemd-239-51_ol001.el8_5.2
- CVE-2021-4157
  - CentOS 8
    - kernel-4.18.0-348.7.1_ol001.el8_5
- CentOS 6
  - tzdata-2023c-1_ol001.el6
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and a failure to sanitise image URLs against the restrictions set by $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using the ng-prop-srcset (1.8.8 only) and ng-attr-srcset AngularJS attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in <source> elements nested in <picture> using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used.
Non-Security Based Updates
GitLab FOSS v17.5.0
Added (145 changes)
Fixed (132 changes)
Changed (205 changes)
Deprecated (6 changes)
Removed (40 changes)
Security (13 changes):
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/gitlab/-/commit/30cdc6ad27b6fabcedcd381eedddc306db911546)
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/gitlab/-/commit/00b8a6c8f52722b58d6e2f134579a2bd3aeb62a0)
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/gitlab/-/commit/480d0bd7ccdca6f93ff715abcd6c2fa7a9bebec2)
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/gitlab/-/commit/18520b5abefbf3d63b39ca786274cdd388c73e97)
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/gitlab/-/commit/ac39cbe4c47622259b06b92f4557d697fd2a8831)
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/gitlab/-/commit/7950fe587ec01257909ee1c6f4035e4477b97c6a)
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/gitlab/-/commit/7cc59acbd64189bc4cd6f6a3a3c829a51ac855ed)
- [Return for admin condition if user authentication with job token](https://gitlab.com/gitlab-org/gitlab/-/commit/f5e8c0286f0245eb5704c036ecabeddfc8c7d757) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167449))
- [External webhook token should be set](https://gitlab.com/gitlab-org/gitlab/-/commit/0dbce3f1a8d18540e9914abfba7d73e8eadf9a80)
- [Updates Summarize Comments LLM Prompt](https://gitlab.com/gitlab-org/gitlab/-/commit/e0ed4fc43edb5da97568a7148f0e0f40f4b41221)
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/gitlab/-/commit/975ac7740d0b5dc7026020872e73fb1b543f5aed)
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/gitlab/-/commit/2e3b0d702470cb6080a8cd329d9f97f27205e3e8)
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/gitlab/-/commit/a0ff56cc58330b1b3e6ad133de203f0655a6e227)
Performance (11 changes)
Other (146 changes)
Bug fixes:
**SQL Expressions**: Fixes CVE-2024-9264
- This is an automatically generated changelog draft for Jenkins weekly releases. See the official changelog for this release.
New Features and Improvements:
- [JENKINS-73813] - Show a notification when scheduling a build fails (#9787) @mawinter69
- Refine content and appearance of the 'Edit View' screen (#9833) @janfaracik
- Winstone 8.2: Upgrade Jetty from 12.0.13 to Jetty 12.0.14 (#9841) @basil
Bug Fixes:
- [JENKINS-72979] - Remove trailing space from Windows agent secret file instructions (#9739) @debayangg
- [JENKINS-73835] - Do not allow builds to be deleted while they are still running and ensure build discarders run after builds are fully complete (#9810) @dwnusbaum
- [JENKINS-63343] - Validate element types for collections and maps when deserializing XML files (#9727) @dwnusbaum
Changes for plugin developers:
- Create a new taglib to capture the save/apply bottom bar (#9813) @Vlatombe
Tests:
- Add tests for empty directory in tar and zip archives (#9809) @basil
Other changes:
- [JENKINS-30101] - [JENKINS-30175] - Simplify persistence design for temporarily offline status (#9855) @Vlatombe
Keycloak 26.0.1
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
- #33275 Better logging when error happens during transaction commit storage
Bugs:
- #8935 keycloak.js example from the documentation leads to error path adapter/javascript
- #19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
- #31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
- #32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
- #32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
- #32844 Login V2: Missing "dir" attributes login/ui
- #32847 Admin UI defaults to master realm even without permissions to it admin/ui
- #32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
- #33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
- #33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
- #33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
- #33557 Unable to submit forms in Safari account/ui
- #33576 Broken links / anchors after KC26 release docs
- #33578 In imported realms, the ability to use environment variables has disappeared import-export
- #33585 Fix runaway asterisk formatting in TLS documentation docs
- #33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
- #33642 RTL not working on keycloak.v2 login template login/ui
- #33645 keycloak-js register broken: createRegisterUrl not awaited adapter/javascript
- #33699 Failure to redirect to organization IdP when the organization scope is included organizations
- #33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
- #33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
- #33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
- #33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
- #33814 NPE when device representation cannot be parsed authentication
- #33817 NEP when Default Role is not present on CachedRealm infinispan
- #33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
- #33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
- #33883 Auth not possible for auth session where user was enabled in the meantime authentication
- #33907 NPE thrown in whoami endpoint admin/ui
- #33967 password is a required field admin/ui.
Jenkins 2.481
Enhancement:
- Show a notification when scheduling a build fails. JENKINS-73813
- Refine content and appearance of the Edit View page. pull 9833
- Upgrade Winstone to 8.2 in order to update Jetty from 12.0.13 to 12.0.14. pull 9841, Jetty 12.0.14 changelog, Winstone 8.2 changelog
- Retain user-generated offline reason when agent connects or disconnects for technical reasons. pull 9855, JENKINS-30101, JENKINS-30175
- Developer: Add a new taglib saveApplyBar for configuration forms. pull 9813
Bug fix:
- Ignore values with incorrect types when deserializing collections and maps in XML files. JENKINS-63343
- Remove trailing space from Windows agent secret file instructions. JENKINS-72979
- Do not allow builds to be deleted while they are still building. Ensure build discarders only process builds which have fully completed. JENKINS-73835
Node v23.0.0
We’re excited to announce the release of Node.js 23! Key highlights include:
- Enabling `require(esm)` by default for Node.js applications
- Removing support for Windows 32-bit systems
- Stabilizing the `node --run` command
- Enhancements to the test runner, including glob pattern support for coverage files
Node.js 23 will replace Node.js 22 as the ‘Current’ release line when Node.js 22 enters long-term support (LTS) later this month.
According to the release schedule, Node.js 23 will remain the ‘Current’ release for the next six months, until April 2025.
Other Notable Changes:
- [`7ad0cc3e57`] - **(SEMVER-MAJOR)** **build**: remove support for 32-bit Windows (Michaël Zasso) [#53184]
- [`83eb4f2855`] - **(SEMVER-MINOR)** **deps**: V8: cherry-pick cd10ad7cdbe5 (Joyee Cheung) [#52535]
- [`b8493a5789`] - **doc**: add abmusse to collaborators (Abdirahim Musse) [#55086]
- [`7fab6e8885`] - **(SEMVER-MAJOR)** **doc**: use gcc 12 on AIX for Node.js >=23 (Richard Lau) [#54338]
- [`d473606040`] - **(SEMVER-MINOR)** **lib**: propagate aborted state to dependent signals before firing events (jazelly) [#54826]
- [`06206af181`] - **(SEMVER-MINOR)** **module**: unflag --experimental-require-module (Joyee Cheung) [#55085]
- [`0b9249e335`] - **(SEMVER-MINOR)** **module**: implement the "module-sync" exports condition (Joyee Cheung) [#54648]
- [`92a25abca9`] - **(SEMVER-MINOR)** **path**: add `matchGlob` method (Aviv Keller) [#52881]
- [`12dd4c7575`] - **src**: mark node --run as stable (Yagiz Nizipli) [#53763]
- [`4174b73153`] - **test**: support glob matching coverage files (Aviv Keller) [#53553]
Wildfly 34.0.0.Final
Release Notes - WildFly - Version 34.0.0.Final
- For the most up-to-date list of all issues resolved, including those resolved as fixed in WildFly 34 after the release date, see the [release notes in JIRA](https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313721&version=12433719).
- For all changes since WildFly 33.0.0.Final, see the [full changelog](https://github.com/wildfly/wildfly/compare/33.0.0.Final...34.0.0.Final).
- Changes in the underlying WildFly Core 26 releases are listed in the WildFly Core JIRA.
Feature Request:
[WFLY-19397] - [Preview] Jakarta Data support in WildFly Preview
[WFLY-19589] - [MP Platform 7] MicroProfile REST Client 4.0 (WildFly Preview)
[WFLY-19590] - [MP Platform 7] MicroProfile Telemetry 2.0
[WFLY-19715] - [Community] Add documentation for the new attributes added to the HTTP Management Interface to define resource limits.
Enhancement:
[WFLY-19172] - Add a 'Installing with the WildFly Maven Plugin' section to the 'Installation Guide'
[WFLY-19235] - Simplify singleton service installation
[WFLY-19268] - Support running the testsuite against installations provisioned with channels and FPs other than 'wildfly'
[WFLY-19453] - Minimize size of Otel API module
[WFLY-19464] - BOMs aligned with WFLY Distributions
[WFLY-19544] - Allows to make a Galleon package dependency valid for a given stability level
[WFLY-19573] - Expand WeldCapability to include build compatible extensions
[WFLY-19657] - Add stability level support to the ApplicationClient parser.
[WFLY-19674] - Provide a nice icon for IntelliJ IDEA
[WFLY-19692] - [Docs]WFCORE-6960: Updating the CLI recipes to the new operation
[WFLY-19772] - Optimize Maven Repositories configuration in Quickstarts
[WFLY-19785] - Add MP Fault Tolerance test case with multiple concurrent deployments
[WFLY-19793] - App client container should log java.lang.NoClassDefFoundError failures and other failures while loading the appclient main class
Bug:
[WFLY-10929] - Unescaped characters in URL from client does not work correctly when allowed for HTTP and HTTPS listeners
[WFLY-11403] - DistributableTestCase fails intermittently
[WFLY-14825] - Revisit permissions in DatabaseTimerServiceMultiNodeTestCase
[WFLY-15822] - GroupListenerTestCase fails intermittently
[WFLY-16973] - Singleton deployment tests failing too frequently on CI
[WFLY-17871] - Example from JavaDoc throws WFLYEE0047: Incompatible conflicting binding at java:module/concurrent/MyExecutor source: lookup (java:comp/DefaultManagedExecutorService)
[WFLY-18456] - GroupListenerTestCase fails on IBM JDK
[WFLY-19271] - Distributed timer service drops timeout events if server is suspended
[WFLY-19304] - Datasources - XML configuration not valid according to schema
[WFLY-19327] - FORM and OIDC auth method in different wars but same ear not working
[WFLY-19349] - Add missing protostream marshaller (and Immutability) for SessionMap.Mutex
[WFLY-19361] - EJB timer executed before the @PostConstruct of a @Singleton @Startup bean has finished with HA profile
[WFLY-19374] - [CLUSTERING] java.lang.NullPointerException 'because "v" is null' when node leaves the cluster
[WFLY-19419] - Distributed timer service should consolidate timeouts that would execute in the past
[WFLY-19514] - Calendar-based local timers do not coalesce missed timeouts
[WFLY-19570] - Update HostExcludesTestCase configuration to work with WF33
[WFLY-19577] - Undertow ServerAdd could not detect referenced capabilities
[WFLY-19583] - Deployment-related undertow metrics are not exported
[WFLY-19584] - Fix typo in pom.xml - goal "provisioning" to "provision"
[WFLY-19594] - Shared github action workflow fails when retrieving log files on linux
[WFLY-19596] - wildfly-maven-plugin missing version in wildfly-ee-builder
[WFLY-19601] - Intermittent failure in NotClosingInjectedContextTestCase
[WFLY-19606] - Clustering tests against Infinispan server are failing on JDK23
[WFLY-19610] - @PostConstruct on Servlet may be called twice
[WFLY-19613] - Performance regression with HttpSession.getAttribute
[WFLY-19614] - QS ejb-txn-remote-call OpenShift profile build from root folder failed
[WFLY-19619] - Microprofile tests against Artemis server are failing on JDK23
[WFLY-19622] - Quickstarts: remove unused Arquillian dependencies
[WFLY-19651] - Restore configuration CLI commands produce a warning messages for remote-helloworld-mdb QS
[WFLY-19658] - Compile-time annotation processing fails with SE 23
[WFLY-19676] - Some Quickstarts are wrongly listed as OpenShift incompatible
[WFLY-19681] - DatabaseTimerPersistence$RefreshTask can delay other threads' timer additions or removals when detecting many Timer removals from the database
[WFLY-19693] - Unexpected Warning message during shutdown - failed sending message: java.lang.InterruptedException
[WFLY-19709] - Many tests failing with Java Security Manager on Java 17+
[WFLY-19712] - A quickstarts logs JIPIORMV6020262 warning message after deploy
[WFLY-19719] - jaxrs-jwt Quickstart has the helm chart in wrong folder
[WFLY-19727] - jboss-ejb-client_1_5.xsd schema incorrectly requires <http-connections/>
[WFLY-19747] - Using MP FT with multiple deployments fails with ISE "Timer already exists"
[WFLY-19755] - Running an appclient without specifying the appclient jar fails
[WFLY-19760] - Distributions contain zips of feature packs's index at their root
[WFLY-19766] - Quickstarts: ha-singleton-deployment redeploy-affected results in 'Deployment overlay singleton-deployment does not exist.'
[WFLY-19777] - Provisioning of 'preview' stability Jakarta Data modules is possible in a higher stability context
[WFLY-19779] - Quickstarts that depend on RESTeasy or HTTP Client missing commons-logging transitive
[WFLY-19787] - Intermittent failures in TLSSyslogAuditLogTestCase
[WFLY-19797] - The MicroProfile TCK parent POM does not override the feature-pack name for the bootable JAR preview
[WFLY-19798] - Fixing mistakes in pom.xml files
[WFLY-19802] - jboss-client.jar is missing SASL anonymous provider
[WFLY-19806] - Clustered singleton no longer working for MDBs
[WFLY-19817] - The wildfly-ee-preview user bom doesn't include Jakarta Data
[WFLY-19826] - Quickstart test for spring-resteasy try to sent request to wrong URL
[WFLY-19828] - Test for quickstart jta-crash-rec contain wrong default URL
[WFLY-19830] - Update instruction in the readme for logging quickstart
[WFLY-19839] - Quickstart helloworld-jsm have configuration CLI script in resource folder
[WFLY-19843] - EJB - application security domain doesn't remove capability
[WFLY-19849] - On-demand anonymous singleton service have no mechanism to start
[WFLY-19862] - UNDERTOW-2444 - Undertow HTTP2 breaks protocol specification in RST_STREAM scenarios
GitHub Release Notes:
- In addition to the JIRA-focused notes above, we also provide GitHub generated release notes, which provide links to relevant pull requests. These only reflect work since the WildFly 34.0.0.Beta1 release; the JIRA-based content above covers both 34.0.0 Beta and Final.
What's Changed:
- WFLY-19605 Add a CI job to check for non-i18n INFO/WARN/ERROR logging by @RanabirChakraborty in #18116
- Bump org.junit:junit-bom from 5.10.2 to 5.10.4 by @dependabot in #18239
- Bump org.wildfly.plugins:wildfly-bom-builder-plugin from 2.0.6.Final to 2.0.7.Final by @dependabot in #18233
- Bump org.apache.groovy:groovy from 4.0.22 to 4.0.23 by @dependabot in #18231
- Bump version.org.eclipse.jetty from 9.4.55.v20240627 to 9.4.56.v20240826 by @dependabot in #18219
- WFLY-19767 Bump version.org.eclipse.microprofile.openapi from 3.1.1 to 3.1.2 by @dependabot in #18222
- [WFLY-19768] MicroProfile Reactive Streams Operators 3.0.1 by @kabir in #18228
- [WFLY-19784] Bump org.eclipse:yasson from 3.0.2 to 3.0.4 by @dependabot in #18142
- [WFLY-19327] Validate it's possible to secure two apps within the same EAR with FORM and OIDC credential support by @rsearls in #18130
- [WFLY-19769] Prove that appclient main can access ear/lib jar classes by @scottmarlow in #18229
- [WFLY-19787] Harden against intermittent failures by configuring max… by @bstansberry in #18247
- [WFLY-19794] Upgrade WildFly Arquillian to 5.1.0.Beta5 by @bstansberry in #18253
- [WFLY-19609]:Remove the bouncycastle dependency from org.jboss.as.web… by @jimma in #18246
- [WFLY-19793] App client container should log java.lang.NoClassDefFoundError failures and other failures while loading the appclient main class by @scottmarlow in #18251
- WFLY-19782 Upgrade SmallRye Fault Tolerance to 6.4.1 + WFLY-19785 test case by @rhusar in #18265
- Bump org.wildfly.arquillian:wildfly-arquillian-bom from 5.1.0.Beta5 to 5.1.0.Beta6 by @dependabot in #18263
- WFLY-19798 Fixing couple of mistakes / typos in pom.xml files by @TomasHofman in #18262
- [WFLY-19590] [WFLY-19797] [MP Platform 7] MicroProfile Telemetry 2.0 by @jasondlee in #18191
- WFLY-19606 Add a workaround for ISPN-16703 by @rhusar in #18261
- [WFLY-19268] Support running WildFly Channels-based test profiles usi… by @bstansberry in #18252
- [WFLY-19759] Test MicroProfile Reactive messaging multiple deployments by @kabir in #18250
- [WFLY-19273] Fix failures in "Standard - Alt Dist - Linux - JDK 11" nightly job by @bstansberry in #18248
- WFLY-19590 Update MicrometerSetupTask package name to new package. by @rhusar in #18268
- WFLY-19818, WFLY-19819 Upgrade Infinispan to 14.0.32.Final, JGroups to 5.2.29.Final by @pferraro in #18276
- [WFLY-19821] Suppress CVE-2024-45772 and [WFLY-19822] Suppress CVE-2024-47554 by @darranl in #18279
- [WFLY-19815] Make ProvisioningConsistencyBaseTest more resilent to ch… by @yersan in #18273
- [WFLY-19799] Update docs copyrights to '© The WildFly Authors'. by @bstansberry in #18267
- [WFLY-19817] Include Jakarta Data in the WildFly Preview user boms by @bstansberry in #18274
- [WFLY-19803] Update the WildFly vs WildFly Preview document for curre… by @bstansberry in #18275
- WFLY-19349 Ensure SessionMap#Mutex marshaller is registered. by @pferraro in #18278
- [WFLY-19820] Upgrade WildFly Core to 26.0.0.Final by @yersan in #18277
- Fix for WFLY-19172, Add a 'Installing with the WildFly Maven Plugin' section to the 'Installation Guide' by @jfdenise in #18257
- [WFLY-19172] Add WildFly Maven Plugin Guide to the release doc index by @bstansberry in #18282
- WFLY-19806 Restore singleton MDBs to working state. by @pferraro in #18269
- [WFLY-19824] Workaround for AMQP start problem by @kabir in #18280
- [WFLY-19827] Suppress CVE-2024-9329 as it related to the GlassFish server not the libraries. by @darranl in #18285
- [WFLY-19802] Add wildfly-elytron-sasl-anonymous to jboss-client.jar by @fjuma in #18291
- WFLY-19843: deregister capability on removal by @michpetrov in #18293
- WFLY-19806 Restore singleton MDBs to working state (Take II) by @pferraro in #18295
- [WFLY-19860] Upgrade WildFly Core to 26.0.1.Final by @bstansberry in #18304
**Full Changelog**: https://github.com/wildfly/wildfly/compare/34.0.0.Beta1...34.0.0.Final